1 Why are we providing this notice?
The General Data Protection Regulation (“GDPR”) applies to the collection, processing and storage of personal data undertaken by organisations within the European Economic Area (EEA), as well as to firms and organisations outside the EEA that handle personal data relating to the offering of goods or services to individuals in the EEA.
The GDPR has two key purposes: (a) to set guidelines for the collection, processing and protection of personal data and (b) to give individuals certain rights in relation to their personal data (such as to access and correct it and object to further processing).
This Privacy Notice is intended to ensure that:
- prospective investors, clients or similar contacts or, where a prospective investor, client or other similar contact is not an individual, the prospective investor’s, client’s or similar contact’s individual directors, officers, employees and/or owners; and/or
- individuals outside our organisation with whom we interact, including visitors to our website, personnel of service providers or other suppliers and others who interact with us whether via our website or by corresponding with us by other means (e.g. by emailing or phoning us), (“you”, or “your”)
are aware of the categories of your personal data Northlight Group LLP (“we”, “us” or “our”) may collect, how we collect it, what we use it for and with whom we share it in accordance with the GDPR.
Where the prospective investor, client or similar contact is not an individual please provide a copy of this Privacy Notice to those individual directors, officers, employees and/or owners whose personal data we may process.
“Personal data” means any information relating to you, but does not include data where you can no longer be identified from it such as anonymised aggregated data.
We will be a data controller in respect of your relationship with us, whether as a prospective investor or similar contact or as an individual outside our organisation with whom we interact, including visitors to our website or personnel of service providers or similar who interact with us whether via our website or by similar means. A data controller is responsible for deciding how to hold and use personal data about you. We may process your personal data ourselves or through others acting as data processors on our behalf.
We may provide supplemental privacy notices on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your personal data. These supplemental notices should be read together with this Privacy Notice.
If you have any questions about this Privacy Notice you can contact email@example.com.
Personal data held by us or on our behalf may include, but is not necessarily limited to, your name, address or residential address, place of business, email address, other contact details, corporate contact information, signature, employment and job history, regulatory status, correspondence records, details relating to your investment activity or preferences, job title, correspondence records, information about how you use our website, other technical data such as your IP address, browser type and version, time zone setting, location, and, when established, login data for our web portal.
The purposes for which we may collect, store and use personal data about you and our ‘lawful basis’ for processing such data are set out in the table below. The law specifies certain ‘lawful bases’ for which we are allowed to use your personal data.
|Purpose||Lawful basis for processing|
|To undertake pre-investment steps including but not limited to: determining your eligibility to invest; required due diligence; and ascertaining your investment preferences.||In order to take steps prior to the contract between you and us/the fund in which you may invest, compliance with applicable legal obligations and our legitimate interests in establishing your preferred investment strategies.|
|To correspond with you.||Our legitimate interests in responding to your enquiry, contacting you in relation to the services you provide or otherwise communicating with you in the course of our business.|
|To undertake business development and marketing activities in relation to making suggestions and recommendations to you about products or services that may be of interest to you. This may include direct electronic marketing.||Our legitimate interests in promoting our products and services and growing our business. We only send direct electronic marketing where individuals have consented to this or as otherwise permitted by the law. Individuals can opt-out of receiving such messages at any time by using the opt-out mechanisms that may be available in those messages or by contacting us at firstname.lastname@example.org.|
|To correspond with or to disclose information to other third parties such as service providers, legal advisors, auditors and technology providers and regulatory authorities to comply with any legal obligation imposed on us or in order to pursue our legitimate business interests.||Compliance with applicable legal obligations. Our legitimate interests in conducting our business in a proper manner.|
|To maintain our records.||Our legitimate interests in conducting our business in a proper manner.|
In addition to the uses above, please note that we may also process your information where we are required by law to do so or if we reasonably believe that it is necessary to protect our rights and/or to comply with judicial or regulatory proceedings, a court order or other legal process.
2.1 Special categories of personal data
There are more limited bases for processing special category personal data. This is personal data which reveals or contains racial or ethnic origin, political opinions, religious and philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life and sexual orientation.
We do not intend to actively collect special category data about you. Whilst we will use reasonable efforts to limit our holding of such data, please be aware that we may hold such data incidentally. For example, where:
- you volunteer special category data to us or one of our processors, such as if you send us an email containing special category data;
- documents gathered for legal / regulatory purposes contain special category data, such as a due diligence search from public sources which includes special category data.
2.2 What if you do not provide the personal data requested?
Unless and until you make a decision to:
- invest or otherwise engage in a business transaction with us or invest in one of our investment products; and/or
- engage in a business transaction with us,
at which point we will send you a copy of any relevant privacy notice, you are not required to provide us with any information (although please note that our website may automatically collect certain technical data) (further details on this are in the ‘How do we collect this information?’ section).
2.3 Change of purpose
We will only use your personal data for the purposes for which we collected it (as identified above in the ‘Purpose’ column), unless we reasonably consider that we need to use it for another reason which is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
We typically collect personal data about you when you provide information to us or others acting on our behalf:
- when communicating or transacting with us in writing, electronically, or by phone. For instance, when you request product documentation, forms of literature from us or otherwise correspond with us; and/or
In addition, we may receive personal information or data about you from third parties, such as:
- public sources or information vendors; and
- introducers, distributors or other intermediaries who market or provide services to you.
We may share your personal data with a third party where this is required by law, where it is necessary to perform our contract with you, or where we have another legitimate interest in doing so.
We may need to share your personal data with:
- other entities within our group as part of our regular reporting activities in company performance, in the context of a business reorganisation or group restructuring exercise or for assistance in relation to marketing and business development;
- introducers, distributors or other intermediaries who market or provide services to you;
- professional advisers including lawyers, bankers, auditors and insurers to the extent such information is relevant to their performance of their services;
- tax authorities;
- trading counterparties;
- cloud service providers; and
- any of our service providers where such information is relevant to their performance of such services;
We may share your personal data with third parties, for example in the context of the possible sale or restructuring of the business. We may also need to share your personal data with a regulator or to otherwise comply with applicable law or judicial process or if we reasonably believe that disclosure is necessary to protect our rights and/or to comply with judicial or regulatory proceedings, a court order or other legal process.
We may transfer the personal data we collect about you to non-EEA countries, including the Cayman Islands and Switzerland, where the parties listed above are based for the purposes outlined in the table above. Those countries may not have the same standard of data protection laws as the EEA.
Where this is the case, we will (or will require a processor to) put in place appropriate safeguards such as the EEA-approved standard contractual clauses to ensure that your personal data is treated in a manner that is consistent with and respects the EEA laws on data protection. If you require further information about this you can request it from email@example.com.
We will retain your personal data for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, regulatory, accounting or reporting requirements and our legitimate interests in maintaining such personal information in our records. This will normally include any period during which we are dealing or expect to deal with you and what we consider to be a suitable period thereafter for our internal record-keeping purposes. In doing this we will have regard to the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. Generally, we will keep information relevant to our dealings with you for 7 years following the last date of activity or longer as required by applicable law or regulation.
In some circumstances your personal data may be anonymised so that it can no longer be associated with you, in which case it is no longer personal data.
Once we no longer require your personal data for the purposes for which it was collected, we will securely destroy your personal data in accordance with applicable laws and regulations.
It is important that the personal data we hold about you is accurate and current. Please let us know if your personal data which we hold changes during your relationship with us.
You have rights as an individual which you can exercise in relation to the information we hold about you under certain circumstances. These rights are to:
- request access to your personal data (commonly known as a “data subject access request”) and request certain information in relation to its processing;
- request rectification of your personal data;
- request the erasure of your personal data;
- request the restriction of processing of your personal data;
- object to the processing of your personal data;
- request the transfer of your personal data to another party.
If you want to exercise one of these rights please contact us at firstname.lastname@example.org.
You also have the right to make a complaint at any time to a supervisory authority for data protection issues.
You will not usually have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is manifestly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
7.2 What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
8 Right to withdraw consent
In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact email@example.com. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose(s) to which you originally consented unless we now have an alternative legal basis for doing so.
We reserve the right to update this Privacy Notice at any time, and we will make an updated copy of such Privacy Notice available to you and notify you when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal data.
This Privacy Notice was written with brevity and clarity in mind and is not an exhaustive account of all aspects of our collection and use of personal data. If you require any further information, please do not hesitate to contact firstname.lastname@example.org.